Posted
by
Zonkon Sunday July 16, 2006 @06:32AM
from the microsoft's-least-favorite-day dept.

whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case. From the article: "This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack."

...because more vulnerabilities will cause more people to consider switching to something like OpenOffice, right?

Yeah right. The vast majority of the people who stick with Office these days are people who won't switch unless the alternative is 100% in every way, shape, and form "compatible" with (which to them means exactly the same as) Office.

Must be nice to be Microsoft, where you don't have to give a shit about your customers...

"[...] people [...] won't switch unless the alternative is 100% in every way, shape, and form 'compatible' with [...] Office"

Exactly. This is why we need to get these security vulnerabilities in MS Office to work in OpenOffice, ASAP. It's all about compatibility, baby.

Seriously, though, I don't agree with the quote. Of course people want compatibility. But they also want security. Using MS office is a tradeoff: more compatibility, less security. When the tradeoff gets less comfortable, rational people will reconsider their options.

A) Who said OpenOffice didn't have security problems? Of course it does.

B) As the dominant Office suite, MS Office has both security problems and actual exploits. TFA mentions one such. Of course OpenOffice is going to have fewer actual exploits, because it has less market share; all the money is in breaking into MS Office.

Then again, even if it was wholly compatable and faster, the majority of users out there don't even know that alternatives exist. They can't switch if they don't know an alternative exists. The majority of users see their computer as a mystical box that "just works" and see constant attack by spyware, adware, viruses and other malware as a price of using the computer. They think that Microsoft is required for their computer to run. They make a minimal differentiation, if any at all, between Windows, Office

Plus with an open documented format, you can weed out a lot of things by parsing the document...

Embedded binaries, recogniseable shellcode, macros, and many other nasties embedded in an open document can be detected, and the xml data itself can be validated against the schema to further cut out a percentage of nasties...MS on the other hand uses a binary blob, which is much harder to sort through.

Equally valid would be to say:premise 1: 30% of all traffic accidents are caused by drunk drivers...-> premise 2: Therefore, 70% of all accidents must be caused by sober drivers...-> conclusion: you are safer driving while drunk than sober.

The security in OOo's case is the fact that there exists a body of developers who are more likely to fix (or accept patches for) vulnerabilities as they are found simply as a consequenc

The security in OOo's case is the fact that there exists a body of developers who are more likely to fix (or accept patches for) vulnerabilities as they are found simply as a consequence of the exposure of their code to the world's scrutiny.

Your basis for the assumption OO developers are more likely to fix bugs ?

Microsoft's marketing department has even less incentive than usual to repair this PowerPoint bug, or for that matter, other bugs in MS Office. Not with sales of the new version of Office just over the horizon. Since Marketing has always been the dominant department of Microsoft, I expect that the compahy will exhibit even more footdragging than usual in getting these bugs fixed.

But OpenOffice.org is not driven by the same motivations. It appears that pride of wo

As the dominant Office suite, MS Office has both security problems and actual exploits. TFA mentions one such. Of course OpenOffice is going to have fewer actual exploits, because it has less market share; all the money is in breaking into MS Office.

Marketshare has no relation to security problems. I know this, because everyone on Slashdot keeps telling me it's true.

Of course people want compatibility. But they also want security.
Nonsense. Most BAs couldn't ive a crap about security, and couldn't understand if you drew them a pretty picture using all 64 of their Crayolas. All they know is Power Point is what they know how to use and that is therefore the only tool for the job.

Using MS office is a tradeoff: more compatibility, less security. When the tradeoff gets less comfortable, rational people will reconsider their options.
Compatibility? With what? Other Of

first, for most people security just isn't worth very much. they want to be able to check it off on a list, but that's about it. MS Office says it's secure? ? done. compatibility - not just the ability to read, but the ability to look 100% visually the same - is a much, much bigger deal for most corporate folks outside of engineering.second, you're assuming a rational consumer. that is an invalid assumption that leads to the undoing of loads of business models. "consumers" should under no circumstances be u

Does that suggest that people will switch to OpenOffice rather tha Office 2007?

I'm running the beta of Office 2007 now, and there's no doubt that it's the biggest change to the Office interface since the switch from DOS. The new "ribbon" interface is a little easier of novices to do normal tasks with, but is a real hindrance to power users familiar with the '95-03 style Offices.

Anyone who's already productive with the older apps will find it easier to shift to OOo than to Office 2007. There's a few new tricks under the hood of the suite, but nothing compelling enough to pay the cost of the new version. In fact, Access coders are definitely going to want to look for alternatives. The new version is pitched much more at desktop experimenters, to the serious detriment of professional developers.

Unfamiliarity is what stops a majority of people from using openoffice...Perhaps the radically different interface in msoffice 2007 will scare people away too, it's vastly different to current versions and openoffice, and just about any other app.

As for being easier for newbies, macosx and modern linux distros are easier than windows for newbies too, the only thing keeping people away from them is being familiar with a different way of doing things.

Access "coders" need professional help. I mean of the psychiatric variety.

Tools like Access are useful for desktop experimenters. Any "professional" developers using Access to write apps are failing to grow up and use a real database. Use msql, mysql, postress, DB2, Oracle, Sybase...

If a heavy-duty database is not required, use Berkeley db. Do not be scripting a toy app for serious business use.

I've been using it for a fair while now, and it still annoys me. Thing is, at the need of the beta period I'm going to have to decide whether to stick with my existing Office version (XP), switch to Open Office, or upgrade to Office 2007.

Right now, I just can't see any reason to upgrade. I've been a Office developer for more than a decade (switched from Paradox/Lotus to Office/Access 95), so this is a big decision for me. I've been a fai

The question people need to ask is not, "why should I switch to OpenOffice", but "what is the killer feature in MS Office that I absolutely need?" Do you really need to be able to run Word on a PDA? Do you need a smooth integration between Office and Exchange? Perhaps, but it's worth reevaluating.

If the cost-benefit ratio is not strong enough to make the cost and insecurity worthwhile, abandon MS Office and use OOo. For most people it's a lot less painful than it sounds. I've even seen OOo spread like a fashion in some teams that were 100% Microsoft, as they discovered that OOo does actually work very nicely, and as they started using ODF as a standard in place of Microsoft's own formats. We did this a long time ago... we get a consistent set of tools on Windows and Linux, and documents that now conform to a global standard and which I know will still be readable in 20 years' time, whatever software or platform I'm using.

There are many alternative office suites and OOo has its flaws, mainly it's a bit slow, but it has a feature set that hits 100% of what we've used - for documents, spreadsheets, simple graphics, and presentations - for years. And I don't get the feeling, when I run it, that I'm running a code base that has hundreds of undocumented backdoors, caused deliberately, or accidentally.

MS Office is hardly the best example of a good interface. However, it blows OpenOffice out of the water.

Why do you think the popular glorified windowmanagers of Linux try to emulate Windows as much as possible? (Though in that case, it's really a moot point. At that level, familiarity of the interface is a far second to applications that are already and must continue to be in use.)

For a lot of people the killer feature is compatibility with the software everyone else is using. I run OO, and recently my wife updated her resume using it. Which was fine until she needed to email it in Word format to an recruitment agency (why they wouldn't accept PDF is beyond me). We used the export feature but the result just wouldn't render properly in Word. Luckily, we still had an old version of MSOffice lying around and that came to our rescue, but the fact that we needed it shows that using Open

email it in Word format to an recruitment agency (why they wouldn't accept PDF is beyond me)

Why? Because before the first living soul casts a glance on your resume it will be sifted for keywords, dragged through filters and rendered in some uniform way. And guess what, PDF is a presentation format, not a data storage format - there is no guarantee that you get the original textual data back from an arbitrary PDF document. So they don't accept any PDFs.

They take your name off, or at least your contact info. They add their own banner across the top. Lord only knows what else they might do to "enhance" your resume.
Really, I don't want that kind of "help".

That applies regardless of if you are a looking for a job or looking for workers...

I find this to be a pretty moot point. Depending of which version of word you are using, things can start to look very different. I've often saved docs in one version of word, only to open them up in another version, and have all the formatting messed up. This is especially true for things like Resumes which contain more than just basic formatting. Also it looks like crap when opened in word, because there's tons of words that aren't recognized, and they are all underlined in red. By far the biggest p

The resume probably ended up with a recruiting agency banner over the top, all of your wife's contact info deleted, and various odd "improvements" that could cause an awkward situation in the interview.

The question people need to ask is not, "why should I switch to OpenOffice"

The question people should have been asking since 1992 is "why should I be doing a powerpoint or clone of it when a web presentation of some form can be used later and will work on something that is available if my laptop does not like the projector, gets dropped or other problems." Going out to buy the latest version of MS Office a few minutes before the presentation because some guy has a powerpoint presentation with embedded avi

There are a couple different variable here. First, powerpoint allows people to do computer based presentations that otherwise couldn't. Powerpoint also automates the bells and whistles so people feel powerful. I personally feel that powerpoint allows us to produce the whiz bang presentations that are useful when we have no useful content, which could be a good or bad thing. I think many people are addicted to it, in the same way they are to the style control in Outlook.

Powerpoint really doesn't do anything extra for the presentation. It helps the lazy presenter, for which I am grateful, but I don't believe it helps the audience.

One of the lesser used features of Opera is the Opera Show Presentation [opera.com] format which is a nifty (albeit non-standard) way of presenting a slide show (power point like) presentation which is also represented in CSS and HTML. This could be the basis for the "web based" presentation.

I, too, have become so much safer since I turned off my antivirus software and instead relied on good old, tried-and-tested intuition to detect malicious software and vulnerabilities.

You too? I got rid of mine when I realised that I was spending far more time cleaning up after the crashy and slow antivirus software than I would have spent reinstalling windows after the (rare) virus infections. One of those cures that's worse than the disease.

PowerPoint is fugly. It is only very, very slightly better (aesthetically) than OpenOffice.org Impress. Either use Keynote (which is usuable by people with very limited computing knowledge, and can generate easy to distribute QuickTime presentations), or put together a moderate budget and create an honest-to-god animation/video.

PowerPoint is overused, and is totally inadequate for most situations. Keynote outperforms it by a huge margin; and you can get Keynote+a Mac Min

I have office installed on one of my alternate less important systems, and I still have to switch over to it for a few things that I've grown accustomed to that I cant find in Open office, at least not thats privided with the install package. One thing I've grown to enjoy out of MS Office is the evnelope and letters wizards, while OO has a very simple version of these the one in MS Office is much more developed and easier to use and setup, and I find myself switching computers and pulling up those wizards

unfortunately, in our company (and in many others, from folks i've talked to), that "killer feature" is the ability to create something which looks 100% "correct" on what the majority of people you communicate with use. we don't get MS Office for our engineers, and instead issue them OpenOffice (really NeoOffice, since we're a largely Mac shop); they don't prepare Office docs for consumption outside the company, only rarely for inside the company (outside System Engineering, which i'm embarrassed to say pro

doc is broken, why keep using that format?If you are in a technical field, consider LaTeX. I personally love LyX, a frontend for LaTeX that lets you see what you are doing (instead of just use a text editor to hack tex code).

Great output, great control, great everything but rough learning curve, unless you use LyX.

I still have tex files from over a decade ago that work fine. How many Word files from 1995 work fine for you?

And the new 1.4.2 PC LyX installer is 10x better than the old one, it automatically

Yes, the problem of "send this document to random people" is a real issue.

However, since OpenOffice has had a "create PDF" feature for ages, and since it produces really elegant PDFs, this is a solved problem.

I much prefer sending PDFs to editable documents because it prevents random modifications. When people do have to collaborate on writing a document, they can install OOo without much effort, and it is easy to learn, despite not being MS Office.

I've seen many people learn to use OpenOffice and the suggestion that its interface is hard to use is untrue. I've literally given non-technical people (office admins, sales and marketing people) a Linux box with OpenOffice and said, "go for it", and they've produced documents and spreadsheets and presentations without asking anything after, "what printer do I use".

PDFs are the answer to distributing prepared documents. PDF or HTML works fine for presentations. And if you *really* need to send someone an MS-Office format document, you use the "Save as" function to create it.

And this model has let us use OO for 4-5 years in a world where almost all of our clients use MS-Office. It works.

Oh really? I'm going through the whole recruitment process again at the moment and it's a pain in the ass.I make a specific point to send my documents as.pdf rather than whatever editor-specific file format I created it in for some of the reasons the parent outlined, only to have 60-70% of the companies e-mail me back asking for a.doc version.

What the fuck! It's created using managed XML, XSL and html2ps/ps2pdf, somebody show me a magic 'Convert to useless Microsoft format' program and I'll use it, but fo

>Yes, the problem of "send this document to random people" is a real issue.>However, since OpenOffice has had a "create PDF" feature for ages, and since it produces really elegant PDFs, this is a solved problem.

Except when you explicitly want that person to make changes and send it back...

I've never known Microsoft to allow any arbitrary Office user to phone them up...
I've never known anyone in an IT department who knows how to sort out an OOo problem either.

If I wanted to script my documents, I'd use LaTeX and do it properly.
That's text documents covered (let's ignore the massive API, thorough documentation, events, key combos, community support, pre-written example code, friends/coworkers who know it too, IDE, and easy to master language). Now what about spreadsheets and databases?

Your forced to use the built in IDE with msoffice and VBA...On the other hand Openoffice lets you write macros in java, javascript, python or it's own built in starbasic language, for all but the latter many IDE's exist for you to use, and plenty of people can already program in these languages, no need to learn a new language with such a limited scope for use.

Brown doesn't look good on any desktop. If I want a crap, I know where to perform the function, and it isn't at my desk.;-)

In any case, there's nothing stopping you from using a build of OOo that uses your native gtk2 widgets. The builds for Dropline Gnome (a Gnome distribution for Slackware) are a good case in point here.

As for not matching the GUI, speak for yourself. It fits in just fine on my Gnome desktop. Really? It doesn't fit in well on mine: http://img153.imagevenue.com/img.php?image=38652_S [imagevenue.com] creenshot_364lo.jpg They're both brown, but all the controls behave and look differently..

I have yet to crash OpenOffice [and I'm talking v1 days] with a sufficiently large document [more than 200 pages].

I have crashed OpenOffice though. I've also crashed Office. But not due to document size. Usually I hit a formatting bug or something.

As for macros rendered live... I have yet to encounter a place where that is useful. If you want an interactive pretty presentation use XHTML and a CGI script. That's at least portable and doesn't require running things on the client computer.

Can't speak for the spreadsheet component, but i've had the opposite experience with the word processing components...Open up a large textfile (how large depends on your available ram, i used about 12000 pages) in word and openoffice writer.This is plain text, no formatting or anything, the results:Word appears to load it and lets you read the first few pages, meanwhile the application is chugging away in the background... it informs you it won't be able to spell check as you type, and then hangs for a few

"I've used Openoffice on systems that have 96MB of RAM -- Other than it being a bit slow. I have not noticed any usability issues."
New rule: If you don't know what a page file/swap partition is, you don't get the rest of your post read.

If you need support you can buy it from Sun. You may have heard about Sun. I think they are a pretty large company.

"you're not going to need the pre-written macro code which is everywhere for Office,"

Office by default will not let you execute macros. Most organizations turn off the macro execution as a group policy in AD. Having said that if you have willingly chosen to open up your desktop to macro exploits and have willingly chosen to lock yourself to a vendor then you can't switch. Vendor lock sucks for an organization though. From now on you are no longer allowed to use any non MS office software ever. Good for them, sucks for you.

"you don't need the excellent VBA IDE,"

See above. You can script OO in python though, much better then VBA as far as I am concerned. There are several python IDEs around too last I checked.

"you don't need the excellent documentation,"

Wait let me check my office manual to see if it's better then the OO manual. Ooops looks like I didn't get an office manual. Seriously... There is excellent OO documentation. There are also several books which are cheaper then office.

"you're not going to use the entire systems implemented in Office (Excel and Access systems are commonplace where I work, they're commercial and not in-house software)"

If you are buying commercial apps they can (and should) use the office developer toolkit to deliver you a runtime. If they are forcing you to buy office just to run their apps then you are getting screwed. Also see the above remark about vendor lock.

"you don't mind not being able to properly use the documents everyone outside your organisation will be using, and the documents your employees will be bringing from home,"

Keep a copy of office around for those rare documents that don't translate properly. Tell your employees to use OO at home if they want to work from home. All companies have document standards.

"you don't mind the GUI not matching the rest of your system,"

When office 2007 comes out the GUI of OO will more closely match your XP box then office will.

"you don't mind using a piece of software which no-one will have audited,"

What makes you think office was audited? Who audited that commercial software package you got from that commercial vendor (you know the one that requires office to run). Who audited that messenger program half of your staff is using? I have news for you. 100% of the corporations in the world are running at least one piece of un-audited software.

"you can't wait for Office 2007 for ODF,"

The ODF support in 2007 will be read only. It will also be crippled from the looks of it.

"and you don't need a rich macro API."

You have no idea what you are talking about. None at all. Every part of OO is scriptable.

Your right, it was found by people outside the company that created the software.

This vulnerability wasn't found through auditing or the original programmers. Did you read the article ? Do you understand what a zeroday-exploint means ? Did you even read the title of this slashdot-article ?

Yeah.. In this case we were thankful enough to have the auditing done by haxors. Thank God they are auditing it finding all the bugs so they can be exploited, before MS even knows about them. Then some security firm, not MS, finds out that the is already being hole is actually being exploited. Lastly, MS, who is the only entity with access to the code, and who can actually fix the problem is the last one to hear about it. Yeah. Sounds like this system works really great.

"Gee, I don't know, maybe the fact that is a discussion on a vulnerability which was found in PowerPoint? That vulnerability didn't find itself."Lying again I see. The vulnaribility was not found by MS doing an audit. Most windows and office vulnarilibilities are not found by MS doing an audit.

RE:ODF. You provide a press release by MS to prove that it will be read/write and will not be crippled?

"Even if OOo was as richly scriptable as Office (which it simply isn't), it's multiplatform and thus can't have th

You're the one getting angry and name-calling about some true statements I made about an Office suite. If you get angry when someone speaks ill of a piece of software which isn't your own, you're a fanboy idiot. "Nooo, OpenOffice is holy! You lie, you lie! It's not true!! *sniff*"

"You're the one getting angry and name-calling about some true statements I made about an Office suite. "Why do you think I am angy? I am simply pointing out your lies. Why would I get angry about that?

"If you get angry when someone speaks ill of a piece of software which isn't your own, you're a fanboy idiot. "Nooo, OpenOffice is holy! You lie, you lie! It's not true!! *sniff*""

If you need support, you can buy it from sun (either in the form of staroffice, or seperately buy support), what support do you get from ms after you've paid $400 for the software?How do you know it's not been audited? the source is out there, many people could have...Since when has the msoffice gui matched the rest of the system either? If you want a consistent interface then koffice is for you.

Openoffice has a rich macro API too, and supports writing of macros in multiple languages.

#you're not going to need the pre-written macro code which is everywhere for Office,
# you don't need the excellent VBA IDE,
# you don't need the excellent documentation,
# you're not going to use the entire systems implemented in Office (Excel and Access systems are commonplace where I work, they're commercial and not in-house software),
# you don't mind not being able to properly use the documents everyone outside your organisation will be using, and the documents your employees will be bringing from home

Even if I open a ppt attachment by mistake, it will launch into OpenOffice. The law of diminishing returns makes far less likely that an exploit intended for one office suite used by the masses is going to work on another. That's no reason to be complacent or less vigilant, but it's just one extra layer of security between me and the attacker.

Put yourself in the shoes of a hacker. Do you waste a disproportionate amount of time writing an exploit that snags 0.01% of users who might a ppt association but it loads into another presentation app and who may not even be running Windows, or do you write one which targets the 99.9% of recipients who are running Windows and PowerPoint?

i.e. do you waste a lot of time for a minimal gain or go for the lowest hanging fruit?

Yes, the number of people opening a ppt with something other than Powerpoint is diminishingly small. It would be a waste of time writing an exploit for that scenario. Hence the reason that machines with a heterogenuous mix of software are far less vulnerable as a rule than those running purely Microsoft stuff.

It doesn't mean they are immune and common sense security still applies, but they are far less likely to be infected in the first place. Secondly, even if you caught a dose, the payload might not wor

I think its great that/. gives me all the news that I care about, but I'm really starting to second guess it. IE: this article is a weekend killer knowing that I will now have to push over 1000 IAVA's sometime in the near future......

It appears to me that it is hard to find software that cannot be exploted somehow, given enough time to dig into every possible way of doing so. Isn't this an indication that there is simply something wrong in the way software is put togeather and executed? Maybe the people who design API's, compilers and whatever is used to make software needs to rethink the way the stuff works... or maybe software is quite simply such a complex task of engineering that to keep it possible, it must also be possible to ex

I see your points. I'm not a professional software developer, but end up doing some coding every now and then to achieve things nessesary for my work, quite simply since my company doesn't have resorces to hire a professional for all such things. None of this code gets any lasting importance however, which I consider important.I am however noticing that the developer world here in Norway(which I encounter from time to time) seems to be professionalising allot. Maybe its a sign of better things to come, w

One of the things that has bitten Microsoft again and again is this common tendency among multiple groups to embed powerful tools in document handling applications. ActiveX in Internet Explorer and the MS HTML control, the myriad scripting tools in Microsoft Office, and of course the very design of.NET is based on the idea that you can "trust" certain documents and allow them to run effectively native code components.This is fundamentally different from the way just about everyone else does things, but Mic

I think it's just a matter of cost. As a piece of (commercial) software approaches absolute security, the cost of development approaches infinity. (maybe not quite THAT extreme, but you get the idea:) For OSS, as it approaches absoulute security, you get version 0.5, 0.9, 0.99, 0.999, etc. So what we end up with is 'good enough'.

I wonder how you address a ZeroDay flaw [unless it means something else] in previous patches.
One could argue that they should've found it first, but most *true* anti-ms sentiment is that they don't fix known bugs.

Latex is a rubbery material formed from the sap of certain trees. LaTeX, on the other hand, is a set of macros written by Leslie Lamport for Donald E. Knuth's TeX typesetting system, with the aim of moving the focus of the source to content rather than form. Beamer is a package for creating presentations that runs atop LaTeX.

Microsoft hardening Windows? Hardly. This latest wave of office exploits is rather a result of the excel exploits found some weeks ago. If one application in a suite is found to contain exploitable bugs then the other ones are likely to exhibit the same behaviour. It's all about return on investment.

Apparently the victim launches the PowerPoint slide show (probably spread via email like every other virus) and it uses PowerPoint to drop the virus and infect the machine. Although the link doesn't say, my guess is that it does this without prompting the user if it's okay to run a macro.

The virus also displays a slide full of Chinese (?) characters. Anyone know what that translates to? "All your slide are belong to us"?

Gee. Wonder why it's not written for the techie/slashdot crowd. Huh. Oh yeah, it's The Washington Post. It has to be understandable to people who aren't complete geeks.

According to a writeup [sans.org] at the SANS Internet Storm Center, the message generated by the virus reads:
"What is love? Sending her 999 roses knowing she doesn't love him.
What is waste? Sending her 999 roses know she loves him."
That SANS advisory also notes that 3 (count 'em THREE) proof of concept exploits have been published for this vulne

It depends how they update windows. If they've switched from windowsupdate [microsoft.com] to microsoftupdate [microsoft.com] then Office updates will be included (as well as updates for some server software like SQL 2005). The switch also changes the automatic update software.